In the halls of Georgia Tech, where groundbreaking research and technological innovation are daily pursuits, a different kind of breakthrough is making waves. The U.S. Department of Justice has stepped into the ring, backing a whistleblower lawsuit that pits the renowned institution against its own cybersecurity practices.
At stake is not just Georgia Tech's reputation, but potentially the future of how research universities will gain federal contracts and tackle cybersecurity compliance.
The lawsuit, initially filed by two former senior members of Georgia Tech's cybersecurity compliance team, Christopher Craig and Kyle Koza, paints a troubling picture of systemic failures in meeting Department of Defense (DoD) cybersecurity requirements. Here are the key allegations:
This lawsuit is part of a broader effort by the U.S. Department of Justice to ensure that government contractors and subcontractors are honest about their cybersecurity efforts. It reflects the growing prioritization of cybersecurity at the federal level, as evidenced by recent executive orders, publicized security strategies, and tightened security requirements like CMMC 2.0, which builds upon NIST SP 800-171.
One thing’s for certain: even the most prestigious institutions are not immune to scrutiny and potential legal action. The government is getting serious about cybersecurity, as shown by the litany of memos and demands for tightened cybersecurity from the White House, the Pentagon, and even Congress.
For research universities, the implications of non-compliance extend far beyond potential legal penalties. At stake are their reputation and credibility in the academic and research communities; their ability to secure future government contracts and funding at all; and, more pragmatically, the protection of valuable research data and intellectual property.
The Georgia Tech case, not unlike the case made against Penn State University last year, is further proof of the federal government's commitment to enforcing cybersecurity standards in academia.
As we learned with the Penn State debacle of similar proportions last year, the Georgia Tech case offers several crucial lessons for other research institutions:
As the Georgia Tech case demonstrates, a robust, data-centric approach to cybersecurity is no longer optional for research universities. Solutions like Virtru email encryption and Virtru Secure Share offer highly secure ways for research universities to share information — encrypting data at the object level, governing data access, and ensuring compliance with federal standards.
By implementing strong data protection measures, universities can safeguard their research, maintain compliance, and continue to drive innovation without compromising security.
The message is clear: compliance is as crucial to a university's mission as its research output. It's time for all research institutions to take note and act accordingly.
If you’re a cyber leader wanting to make quick, effective progress toward demonstrating data security in compliance with regulations like CMMC and ITAR, contact our team. We’d love to work with you to bolster data protection and strengthen compliance in your research programs.